Problem with logging in to the Password Registration Portal

  • Question

  • I installed the FIM Service, Portal, Password Registration Portal and Password Reset Portal on my lab. But for some reason, I am unable to log in to the Password Registration Portal. It keeps prompting for the password and finally I get "Not Authorized. HTTP Error 401. The requested resource requires user authentication". I am using the account that I used for installing those components, as this is supposed to become the admin for the portal. The app pool and the site are running fine in IIS. Any help?

    Thanks,
    John



    Thursday, October 11, 2012 3:49 PM

All replies

  • You need to set up SPN for password registration and password reset portal. 101%

    setspn -A HTTP/your.password.registration.website domain\iis_app_pool_account

    Thursday, October 11, 2012 5:04 PM
  • Hello,

    Sorry, I should have mentioned earlier - I did setup the SPN.

    Regards,
    John

    Thursday, October 11, 2012 7:38 PM
  • Did you set the SPN to the Machine account identity or the App pool user identity?

    Here's the way I set mine up

    • SPN set to the app pool identity
    • useAppPoolCredentials in the applicationHost.config to true
    • Kernel Mode auth set to true
    • Authentication - Windows authentication enabled - all others disabled
    • Windows authentication providers - Negotiate 1st - NTLM 2nd (don't use negotiate:Kerberos)

    Frank C. Drewes III - Architect - Oxford Computer Group

    Thursday, October 11, 2012 10:54 PM
  • Just Another:

    To add to what Frank states above: verify that 'Anonymous' is disabled in IIS for the registration site. Only 'Windows Authentication' should be enabled. Conversely, for the password reset site, only 'Anonymous' should be enabled. From what I have seen, when all three portals are installed on the same box, it seems as though 'Anonymous' is set by default. Of course, after changing this, you will need to run IISRESET on this machine. This fixed it for me a few weeks ago.

    Friday, October 12, 2012 2:04 AM
  • Hi,

    I have the same problem. I tried to install another registration & reset portal with the same URL (with the same A record but a different IP) and it keeps prompting for the username & password, and finally I get "Not Authorized. HTTP Error 401".

    I have a registration & reset portal installed on the FIM Server and it is working properly.

    What could be the problem?

    Thanks for your help

    FIMAVI

    Friday, October 12, 2012 1:32 PM
  • FIMAVI,

    Did you look at the IIS configuration as I described above? This fixed it in a lab environment for me and for a customer I was working with.

    Sunday, October 14, 2012 5:32 AM
  • Hi Glenn,

    I checked the configuration and it looks correct, but I still have the same problem. I have a registration portal on the FIM server and it is working properly.

    I just want to install another registration portal to create a "load balancing portal", and in this registration portal it keeps prompting for the username & password.

    I set the SPN HTTP/Passwordregistartion.domain.com to domain\FIMServers$ as described in http://technet.microsoft.com/en-us/library/hh322882(v=ws.10).aspx

    Thanks for your help,

    FIMAVI




    • Edited by Avihai HMVP Monday, October 15, 2012 3:55 PM
    Monday, October 15, 2012 3:52 PM
  • I bet you need to set the SPN for the IIS app pool account also... and allow delegation
    Tuesday, October 16, 2012 8:41 AM
  • Partially right...

    You'll need to change your SPN from using machine creds to an SPN using the app pool creds. If you don't, you can't scale out your portal, because you can't add two machine accounts to the same service/hostname combination (duplicate SPN - which you should catch when you try to register the second if you use the -S switch on the SETSPN command) - and you may need to set UseAppPoolCredentials=true in your applicationHost.config file (use IIS Manager - configuration manager; it's easier (and safer) than trying to modify the .config file directly).

    Registration doesn't use delegation, so no need for that.


    Frank C. Drewes III - Architect - Oxford Computer Group


    • Edited by Frank Drewes Tuesday, October 16, 2012 9:43 PM
    • Proposed as answer by Avihai HMVP Thursday, October 18, 2012 12:36 PM
    • Unproposed as answer by Avihai HMVP Thursday, October 18, 2012 12:37 PM
    • Proposed as answer by Avihai HMVP Thursday, October 18, 2012 12:37 PM
    • Marked as answer by Just Another FIM Guy Thursday, October 18, 2012 8:00 PM
    Tuesday, October 16, 2012 9:40 PM
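
The settings listed in the replies above (SPN on the app pool identity with no duplicate holder, useAppPoolCredentials, kernel-mode auth, Windows authentication only, Negotiate before NTLM) can be audited in one pass. This is an added example, not part of the original thread; the site name, host name and account are placeholders chosen for illustration.

```powershell
# Added example, not from the thread. The three values below are assumptions.
Import-Module WebAdministration

$SiteName       = 'FIM Password Registration Site'   # hypothetical IIS site name
$PortalHost     = 'passwordregistration.example.com' # hypothetical portal host name
$AppPoolAccount = 'EXAMPLE\svc-fimpwreg'             # hypothetical app pool identity

$apphost = 'MACHINE/WEBROOT/APPHOST'
$auth    = 'system.webServer/security/authentication'

function Get-AuthAttribute([string]$Section, [string]$Name) {
    # Reads one attribute of an authentication section at the site's <location>.
    (Get-WebConfigurationProperty -PSPath $apphost -Location $SiteName `
        -Filter "$auth/$Section" -Name $Name).Value
}

# Provider order as configured for the site (the first entry is offered first).
$providers = @((Get-WebConfiguration -PSPath $apphost -Location $SiteName `
    -Filter "$auth/windowsAuthentication/providers").Collection |
    ForEach-Object { $_.value })

# setspn -Q prints one "CN=..." line per account that holds the SPN,
# so more than one line means a duplicate SPN.
$spn     = "HTTP/$PortalHost"
$holders = @(setspn -Q $spn | Where-Object { $_ -match '^CN=' })

# setspn -L lists the SPNs registered on a single account.
$onPool  = @(setspn -L $AppPoolAccount |
    Where-Object { $_.Trim() -ieq $spn }).Count -gt 0

$checks = [ordered]@{
    'SPN registered on exactly one account'   = ($holders.Count -eq 1)
    'SPN registered on the app pool account'  = $onPool
    'Windows authentication enabled'          = [bool](Get-AuthAttribute 'windowsAuthentication' 'enabled')
    'Anonymous authentication disabled'       = (-not (Get-AuthAttribute 'anonymousAuthentication' 'enabled'))
    'useAppPoolCredentials = true'            = [bool](Get-AuthAttribute 'windowsAuthentication' 'useAppPoolCredentials')
    'useKernelMode = true'                    = [bool](Get-AuthAttribute 'windowsAuthentication' 'useKernelMode')
    'Providers: Negotiate first, NTLM second' = ($providers[0] -eq 'Negotiate' -and $providers[1] -eq 'NTLM')
}

foreach ($c in $checks.GetEnumerator()) {
    '{0,-42} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'REVIEW' })
}
```

Run it from an elevated session on each portal server; in a load-balanced setup every node should report the same results against the same app pool account.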
  • Thanks it works.
    Thursday, October 18, 2012 12:37 PM